The network communications industry is rapidly changing to adjust to emerging technologies and ever-increasing customer demand. This customer demand for new applications and increased performance of existing applications is driving communications network and system providers to employ networks and systems having greater speed and capacity (e.g., greater bandwidth). In trying to achieve these goals, a common approach taken by many communications providers is to use packet switching technology. Increasingly, public and private communication networks are being built and expanded using various packet technologies, such as Internet Protocol (IP).
A network node such as a switch or router typically receives, processes, and forwards a packet based on one or more criteria, including the type of protocol used by the packet, addresses of the packet (e.g., source, destination, group), and type or quality of service requested. Additionally, one or more security operations are typically performed on each packet. Before these operations can be performed, a packet classification operation must typically be performed on the packet.
For secure communication over a network such as wireless networks and the Internet, packets exchanged between network nodes are encrypted according to cryptographic standards such as Transport Layer Security (TLS) and Datagram TLS (DTLS). DTLS mandates that keys be periodically changed to avoid detection. Unlike the TLS standard, where a bundle of packets is decrypted together, the DTLS standard allows each packet to be decrypted separately. The DTLS change cipher specification is primarily based on the TLS specification, with the added benefit that there is an epoch number in the DTLS header that changes with each cipher specification change. Regarding the cipher specification change, the TLS standard mandates that once the ChangeCipherSpec has been sent, the new CipherSpec must be used. The first node to send the ChangeCipherSpec does not know whether the other node has finished computing the new keying material. Thus, there can be a small window of time during which the recipient must buffer the data that has been encrypted with the new keys.
TLS is a software-based specification. Hence, the buffering of packets received with the new key is considered acceptable. Because DTLS is used by Control and Provisioning of Wireless Access Points (CAPWAP) and other access protocols and devices, future switches and routers may support DTLS in hardware at multi-gigabit bandwidths. Because of the high performance and bandwidth supported by many access devices (such as switches and routers), the number of packets that can be received and buffered in the window of time while key material is re-computed may be very large. Furthermore, Quality of Service features in the network can cause packets to be reordered due to prioritization. For hardware implementations, the resources required to buffer received packets during re-key operations may be cost prohibitive even at only a couple of gigabits per second of throughput.
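The following Python example, added here to illustrate the two preceding paragraphs and not taken from the document, shows why the epoch field in the DTLS record header lets a receiver process records from the old and new cipher states in any arrival order: the receiver parses the 13-byte DTLS 1.2 record header, looks up the read key by the epoch in that header, and only flags a record as "not yet decryptable" when no key for its epoch has been installed. The cipher is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag, standing in for a real DTLS cipher suite; the key values, sequence numbers and the `demo()` traffic are constructed sample data, and `EpochKeyedReceiver`, `toy_seal` and `toy_open` are hypothetical names.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# DTLS 1.2 record header (RFC 6347, section 4.1), big-endian:
#   ContentType(1) | ProtocolVersion(2) | epoch(2) | sequence_number(6) | length(2)
HEADER_FMT = ">BHH6sH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 13 bytes
DTLS12_VERSION = 0xFEFD                     # {254, 253}
CT_APPLICATION_DATA = 23
TAG_LEN = 16


@dataclass
class Record:
    content_type: int
    version: int
    epoch: int
    seq: int
    payload: bytes


def parse_record(data: bytes) -> Record:
    """Parse one DTLS record from a datagram; the epoch sits in the cleartext header."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than DTLS record header")
    ctype, version, epoch, seq6, length = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("record length field exceeds datagram")
    return Record(ctype, version, epoch, int.from_bytes(seq6, "big"), body)


def build_record(ctype: int, epoch: int, seq: int, payload: bytes) -> bytes:
    header = struct.pack(HEADER_FMT, ctype, DTLS12_VERSION, epoch,
                         seq.to_bytes(6, "big"), len(payload))
    return header + payload


def _keystream(key: bytes, epoch: int, seq: int, n: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode, bound to (epoch, seq).
    # Constructed for illustration only; not a real DTLS cipher suite.
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hmac.new(key, struct.pack(">HQI", epoch, seq, block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])


def toy_seal(key: bytes, epoch: int, seq: int, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the key of this epoch; returns ciphertext || tag."""
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, epoch, seq, len(plaintext))))
    tag = hmac.new(key, struct.pack(">HQ", epoch, seq) + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def toy_open(key: bytes, epoch: int, seq: int, payload: bytes) -> bytes:
    ct, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expect = hmac.new(key, struct.pack(">HQ", epoch, seq) + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed (wrong key or tampered record)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, epoch, seq, len(ct))))


class EpochKeyedReceiver:
    """Selects the read key by the epoch in the record header, so records from the
    old and the new cipher state can be decrypted independently, in any order."""

    def __init__(self) -> None:
        self.keys: dict[int, bytes] = {}

    def install_key(self, epoch: int, key: bytes) -> None:
        self.keys[epoch] = key

    def receive(self, datagram: bytes) -> tuple[str, Optional[bytes]]:
        rec = parse_record(datagram)
        if rec.version != DTLS12_VERSION:
            return ("bad_version", None)
        key = self.keys.get(rec.epoch)
        if key is None:
            # Keying material for this epoch is not computed yet: this is the record
            # a receiver without epoch-based key selection would have to buffer.
            return ("no_key_for_epoch", None)
        try:
            return ("ok", toy_open(key, rec.epoch, rec.seq, rec.payload))
        except ValueError:
            return ("auth_failed", None)


def demo() -> list:
    """Constructed traffic: the sender rekeys from epoch 0 to 1 while QoS reorders delivery."""
    key0, key1 = b"\x00" * 32, b"\x11" * 32
    rx = EpochKeyedReceiver()
    rx.install_key(0, key0)
    rx.install_key(1, key1)
    wire = [
        build_record(CT_APPLICATION_DATA, 1, 0, toy_seal(key1, 1, 0, b"first after rekey")),
        build_record(CT_APPLICATION_DATA, 0, 7, toy_seal(key0, 0, 7, b"late old-epoch packet")),
        build_record(CT_APPLICATION_DATA, 1, 1, toy_seal(key1, 1, 1, b"second after rekey")),
        build_record(CT_APPLICATION_DATA, 2, 0, toy_seal(b"\x22" * 32, 2, 0, b"epoch not yet keyed")),
    ]
    return [rx.receive(d) for d in wire]
```

The third record in `demo()` arrives before the late epoch-0 record, exactly the reordering the paragraph above attributes to QoS prioritization, and still decrypts with the correct key because the key is chosen per record rather than per connection state. Only the epoch-2 record, whose keys have not been installed, is reported as undecryptable; a hardware receiver can drop or count such records instead of buffering them, and the authenticated tag ensures that a record matched against the wrong epoch's key fails closed rather than yielding garbage.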